TechnologyResource writes "When a couple of voicemails didn't show up recently, I thought nothing of it until a friend asked me if I'd gotten his message — people just don't call me that often. But the iPhone is indeed a phone, as some users are reportedly being reminded when they get phone calls from the publishers of a free app they've downloaded from the App Store. The application in question, mogoRoad, is a real-time traffic monitoring application. As invasive and despicable as that sounds, it raises another question: how did the company get hold of the contact information for those users? Mogo claims the details were provided by Apple, but Apple doesn't disclose that information to App Store vendors. French site Mac 4 Ever did some digging (scroll down for the English version) and determined it was possible — even easy — for an app to retrieve the phone number of a unit on which it was installed."

I'd mod you down for not even bothering to RTFA, but claiming that it didn't say what the calls were about is a bit disingenuous.

From the very first link: Several commenters on the store say they've received phone calls from the company behind the application after they downloaded the free version, inviting them to shell out money for the full version.

You might like to take a look at the names that PC apps have too. Sometimes the name is completely off from the actual usage of the app, or is some twist to refer computer thing to a real world "equivalent"

But for that matter, I've always thought that phone apps have access to your number anyway. It just makes sense, same way that PC apps have access to your IP address and other personal data saved on the machine.

In my opinion a smart phone is a phone AND it's also a computer/internet portal, not the two combined. There is no reason for the two to be linked or to share information. It's more like your PC apps having access to your IP address and also your street address (or even your home phone number). The two don't need to be (and shouldn't be) linked.

Sure it is possible to link the two together if needed by law enforcement or something, but it definitely shouldn't be available all the time.

as some users are reportedly being reminded when they get phone calls from the publishers of a free app they've downloaded from the App Store.

This was an interesting bit that wasn't explained anywhere in the article. What kind of phone calls do they get? Asking for user feedback of the app, marketing other products (maybe on other platforms)? Late night drunk calls?

But for that matter, I've always thought that phone apps have access to your number anyway. It just makes sense, same way that PC apps have access to your IP address and other personal data saved on the machine.

Not that it's that bad anyway. Many kinds of software need better access to the information to function. Answering machine software needs access to the phone book to show who called, or to make custom rules.

I don't think that the issue is really that the phone number and other data are available, but more on abusing said info. With Apple's really closed approach and the app store, it would probably be a good idea to send info about the abuse to Apple directly. Technically the apps require access to information to function.

As a side note, most of us probably think that "real-time traffic monitoring application" refers to internet traffic. I looked it up and it's actually about road traffic, not about internet stuff:)

It's not an issue that it's available, it's an issue that it's getting sent back to the vendor.

Android asks you to agree that the app you are intending to install can access a list of various services etc it is then up to you whether you agree or not, you can also revoke permissions for installed apps if you change your mind later.

That is factually incorrect. While Apple relies on App Store reviewers and censorship for enforcing security on their platform, Symbian relies on Certificates.

Certificates are issued at various levels: from home brew developer (install on one phone) to Software firm (installs on all devices). Also certificates are issued with various capabilities like reading contacts, sending SMS, sending data, accessing camera/microphone, being able to read or write system files etc. During the installation of a Symbian p

That's nothing. You can use the Core Location Framework [apple.com] to figure out where they are. So I sold an application to celebrities only that shows them where the paparazzi are, it's called iAvoidPaparazzi. Then iAvoidPaparazzi sends my server their location which gets fed into another application called iMolestCelebs that I sell to tabloids and paparazzi. Then their information comes back to my server and gets fed out to iAvoidPaparazzi. Yeah it took me a few weeks to prime the pump so to speak but once this gets rolling I'm sure I'll make some huge bank off of it... at least until I get shutdown after I take the heat for a few Princess Dianas. *sigh* A man can't make an honest living these days...

That's actually the point: when an app makes use of the CoreLocation framework, an alert is displayed automatically by the iPhone to request the user's permission to get his location. It should be the same when an app tries to access the user's personal data. mmmh…

I get the whole racket thing, and it's a joke, etc, etc, but it's worth noting that you can turn the entire Core Location framework off on a system-wide basis. You just go in to Settings->General and turn off "Location Services".

Plus, it's just a phone call, on your phone. Let's not get this out of proportion - I can think of worse things than getting a phone call. Have a little fun - shout and swear down the phone; make wild promises to buy stuff but pull out at the last minute with a stupid excuse etc; if you have kids, get them to answer it and talk nonsense to them until they hang up etc. It works for me.

I do something similar on my home phone, I have Asterisk answer and play through a few sound samples, usually of famous people... Some of the marketing callers stay on the line for quite a while trying to sell stuff to Arnold Schwarzenegger.

There is a hoax running especially in Europe, +358 or similar number, similar to Italy code (+35). Once you get a "ring" from that line or tricked calling it, your phone bill will be doomed. I speak about thousands of dollars (euros) here and you can't get that money back.

They can't filter the number too since telecom system only allows +35**** to be banned, which would mean Italy would get blocked. Problem of these guys was finding juicy rich people. Just imagine some iPhone freeware vendor supplies it to t

Symbian Signed can access such critical data and basically you aren't getting a certificate if you don't explain to the company who is in charge of signing it the reason you want to transmit users' phone number.

Gathering one's phone number via application requires "root access" in terms of UNIX. All of these policies have been set up by smart phone OS vendors because of real life issues. Apple simply ignored all the experience others gathered and rolled their own.

There is a hoax running especially in Europe, +358 or similar number, similar to Italy code (+35). Once you get a "ring" from that line or tricked calling it, your phone bill will be doomed. I speak about thousands of dollars (euros) here and you can't get that money back.

While another reply to you pointed that the +358 stuff was an urban legend (although same Snopes articles confirms similar scheme at lower but still exorbitant rates are afoot) - it still points to me how ridiculous the phone industry is that you don't get a price when placing or receiving the call (before I am told it can't be done - the phone company sure has no problem tallying up for millions of people every month).

Actually, the whole scheme where the person receiving the call pays is ridiculous since

There is a hoax running especially in Europe, +358 [...] Once you get a "ring" from that line or tricked calling it, your phone bill will be doomed. I speak about thousands of dollars (euros) here and you can't get that money back.

I never understood this line of reasoning. The situation is as follows:

Phone company bills you $HIGHBILL

You disagree with the bill, but say "OH NOES I HAS TO PAY" and then proceed to pay??!

You sheeple are owned by the corporations.

Two months ago, I got an incorrect bill. I proceeded to pay the amount that I thought was correct, and wrote them a snailmail note saying why the bill was wrong. Of course, it got ignored and I received reminders, which I returned with a copy of said note. Two months later, the ph

Exactly. Who in their right mind would want to pay for incoming calls? Bizarre? Doesn't the first company which charges YOU for the calls YOU make and doesn't make you pay for spammers and cold callers wasting your time get to pick up just about every mobile user in the States??

I know it sounds odd, but there is a small market for just that in the UK. I work for a mobile phone company, and I have two phone numbers. One is a normal mobile phone number, and you pay to ring it as usual. The other is a "landline" number - you pay at landline rates to ring it, and my company picks up the difference. There's also some fairly sophisticated PABX functionality on the "landline" number - hunt groups, black/white listing, out of hours handoffs etc. Personally I never use it, but some customer

Just have the app demand the Location Services to be on. How and why? Make that a necessary requirement for sending your "friends" "gifts", such as "teddybears", "kittens", "kisses", "pokes" etc. You know... like on Facebook.

On my iPhone, anytime an app wants to use my location I get a request to allow it to so do. If any app that uses the location service I know that it is happening. This is in fact what Apple is supposed to be protecting us for in exchange for us agreeing that the iTunes App store is a good idea. Developers have to obey certain rules, and the user has some protection against malware.

So if this is happening, then it is a failure on Apple's part. We do expect data on our phones to be private, and for Appl

I guess some people are just so frugal and introverted that any use of their time or minutes results in a temper tantrum, like some arrogant teenager when the unwashed have the audacity to talk to them.

And you'd be right in a tiny fraction of the population's cases. For the majority, however, a better guess would be that were they asked to provide their iPhone number to the vendor, they would have declined to do so. However since they were not asked and the app took the number any way, they were understandably aggravated.

It isn't the phone call that is important at all. It is the power to decide, and with whom that power ultimately rests.

And if you genuinely cannot see that, I can only hope you do not live in the same democracy that I do...

If we make a call, that phone number is transmitted to the person we are calling. If we install an app on the iPhone, while all items on the phone we can expect to be private, I think a case can be made for and against the phone number.

When I make a call, I understand that the person will receive my phone number. When I play a game of backgammon, I don't expect my number to be harvested. Tell you what--if you don't think this is a big deal, go ahead and post your phone number here on Slashdot.

I've been amused recently as the iPhone Fanbois go on and on about how the App Store is such a great thing because Apple will protect their private information.

If the user has Location Services turned off, it'll tell you that it refused the app, and the app gets nothing.

If the user has Location Services turned on, it'll prompt the first time the app asks to use the service. If you say yes, then it'll remember from then on what you decided the first time, so no more prompts. If you say no, you get another prompt next time the app is launched. It's kind of like UAC as it should have been, so nothing like UAC on Vista.

"When a couple of voicemails didn't show up recently, I thought nothing of it until a friend asked me if I'd gotten his message -- people just don't call me that often

It may not be the iPhone's fault, but the fault of one of the carriers. Neither my daughter or I have iPhones, but very often voicemail messages and texts I send her don't get there. She has the same problem with one of her friends' phones, and her friend doesn't have an iPhone, either.

At least one server-based game I was looking at a network capture for was using the phone number as the login/authentication information to their server....rather stupid as it meant that anyone able to guess iPhone phone numbers would be able to hack other users' accounts of the game...WHOOPS!

Was it only the phone number that was used to auth, or some other info like phone id etc along it? No user password?

If it was just phone number, that's pretty stupid. But if you include some phone specific id as well, it makes it a little more secure. Granted, some other app could generate the same id when installed, but with Apple's closed approach that is a little bit harder and you would need to get both apps installed on same phone.

What are the chances that mainstream media would ever do this kind of investigative journalism? Or take seriously this kind of investigation done by an individual. Mainstream media like newspapers always claim that they have the upper hand over bloggers because they can do serious investigation.... but concerned people with time on their hands far outnumber journalists. This is a great example of that... and it's very telling that no mainstream news has yet to carry this.

And I think it's serious, because I'm sure this violates a few laws, at least in my country.

iPhone applications can retrieve ALL information from your phonebook including names, addresses, and phone numbers. It does not need your permission either, there is no confirmation popup like with the location functions.

Not if that app is run under credentials that don't have access to that address book. That sounds silly for an iPhone, but that is exactly why internet facing applications on my box run as their own user and not root/myuser. Apache runs with Apache privileges.

This is a real-life example of how the Android permission model is pretty well thought-out. Any time you install an app from the Market, you're presented with a list of all the hardware and software resources that it utilizes. Installing a tip calculator? When you see that it needs permission to read/write contact data, access your location and have full internet access, some giant red flags should go up.
True, you can't tell what exactly the app is actually doing with those powers you've granted it, b

The Android permissions model works if you are a geek and have the correct magic decoder ring to understand the permissions being asked for. But most people are going to blow through those settings the same way that they blow through the Windows Vista UAC alerts.

I know: the company I'm working for is currently shipping on the Android Marketplace an application which explicitly requests the "Phone calls (read phone state)" and "Services that cost you money (directly call phone numbers)" states--and that hasn't slowed our adoption rate one whit.

(The first is so we can read the IMEI to generate a unique identifier--which is ultimately generated as a one-way hash. The one-way hash makes it impossible for us to go back from the UUID to a specific user or phone--and it works that way because I put my foot down. (Our Prod Manager wanted the user's phone number--to which I responded "No frakkin' way. Fire my ass first.") The second is so when the user asks for more information on a particular business found in our app I can dump him into the telephony application with the phone number pre-loaded. But we do not actually initiate the phone call; the user has to press the "call" button, despite having an API to initiate the phone call ourselves. Again, I put my foot down here--before I suck your minutes I want to know that was what you really wanted.)

Yes, we don't do anything bad. But it's not because the Android permission model slowed us down one microsecond. Thus far we've shipped over 175,000 copies. No; it's because I put my foot down--and I can see that for someone not as stubborn as me, it would have been easy for us to capture the location and phone number of 175,000 users and track where they were while they were using our app in real time.
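An added example, not the commenter's code, for the one-way hash of the IMEI described in the comment above. An IMEI is an 8-digit model prefix (TAC), a 6-digit serial and a Luhn check digit, so the example checks whether an identifier can be matched by trying serials for one TAC, once for a bare SHA-256 hash and once for an HMAC under a secret key. The function names, the key handling and the sample IMEI are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample IMEI (a commonly used documentation value), not a real handset.
SAMPLE_IMEI = "490154203237518"


def luhn_check_digit(body14: str) -> str:
    """Return the Luhn check digit that completes a 14-digit IMEI body."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:  # every second digit, starting next to the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def bare_hash_id(imei: str) -> str:
    """Unkeyed one-way hash of the IMEI."""
    return hashlib.sha256(imei.encode("ascii")).hexdigest()


def keyed_id(imei: str, key: bytes) -> str:
    """HMAC-SHA256 of the IMEI under a secret key (key storage is assumed, not shown)."""
    return hmac.new(key, imei.encode("ascii"), hashlib.sha256).hexdigest()


def match_by_enumeration(target, tac, derive, serials=range(10**6)):
    """Audit check: can `target` be matched by trying serials for one known TAC?

    `derive` is the identifier function available to whoever holds the
    identifier; returns the matching IMEI, or None if nothing matches.
    """
    for serial in serials:
        body = f"{tac}{serial:06d}"
        imei = body + luhn_check_digit(body)
        if derive(imei) == target:
            return imei
    return None


if __name__ == "__main__":
    tac = SAMPLE_IMEI[:8]
    key = b"constructed-demo-key"  # assumption: a random secret in a real deployment

    # Bare hash: the identifier maps back to the IMEI after at most 10^6 tries.
    print("bare hash :", match_by_enumeration(bare_hash_id(SAMPLE_IMEI), tac, bare_hash_id))

    # Keyed hash: without the key, the same search finds nothing.
    without_key = lambda imei: keyed_id(imei, b"not-the-key")
    print("keyed hash:", match_by_enumeration(keyed_id(SAMPLE_IMEI, key), tac, without_key))
```

The keyed form is only as strong as the secrecy of the key: a key shipped inside the app binary can be extracted from it.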

I don't entirely agree that most users will "blow through them", but I understand that some will.

Obviously, it's a social engineering problem.

As the GP pointed out, if a tip calculator needs access to the Internet and your address book, you can legitimately say something here is amiss. If a program that sends free SMS messages needs your phone number, I'm not sure if that's legitimate or not. It seems like it would be. And even if they do need it to send SMS messages, what they do with it after that is u

There isn't a single other phone allowing this. On Symbian, you can't simply make your app "call" a number or send an SMS without user getting a huge warning on screen.

That's not my interpretation of the situation. The iPhone isn't being turned into some sort of botnet. If you download certain free apps on the iPhone, the app is accessing the phone number of the phone and sending it back to the company that made the app. The company then is calling the iPhone number trying to convince the user to pay for

As much as this may be on Apple, any good software developer should be asking the user for authority to share/access that information to begin with, especially if it's going to lead to sales calls down the line. Since it looks like mogoRoad didn't (at least there's no mention of this anywhere) it's telling that they really don't care about user privacy.

Apple could probably solve this by encapsulating any data on the iPhone with a framework that forces UI authorization before any app on the iPhone is allo

If Apple really did care about your privacy then the functionality just would not exist, and at best it would be a hack. As it stands it's just an undocumented feature.

It's great to rely on 'developer integrity' and all ya' know, but those developers are motivated by a need to generate a return. It's hard for anyone to expect a management team *not* to instruct a development team to extract said information and feed it into a marketing team. I've got two ideas for iPhone applications iWantYourMoney and iWantYourInformation supported by the iPwned you framework.

Seriously people it's like putting a 9 year old in front of a big red button with a sign under it saying 'Do not press this button' and saying to the kid 'Don't touch that button kid'. I'd expect the management teams to be saying 'what other user information can you extract'.

That's not to say Apple shouldn't secure this. They should. But there's no button, and there's no sign. Undocumented means someone has poked through data downloaded from an unlocked phone to find where the phone number is stored.

Fair enough. Telling the kid that there might be a present up in that wardrobe somewhere and not to look for it. I was just making it up as I went along. But implementing that functionality inside the ifone would have taken a series of overview meetings, management decisions, implementation meetings and developer resources to achieve.

The bottom line is the functionality was there to be discovered as opposed to not there to be discovered. As such the discussion is about "securing th

It's well known that apps can detect when they've been pirated on the iPod Touch and iPhone (it's completely detectable, and works 100% since DRM'ed versions should not have the extra entries). In fact, these apps have been known to report back to the host practically everything about the device - UUID and other things (it was posted in one of the forums how to do this, and what you should do if you detect it).

Funny enough, the crackers have also discovered the apps doing this and work around it...

I have written applications on just about every smartphone platform, and I have never met an API that did not have the ability to query the phone number of the device. Assuming you have a data plan (in many cases, the only way to get the app in the first place), it's a tiny amount of code to post that information to a web page the first time the application runs. Some platforms, such as the Android, do indicate when an application has access to use the Internet, but it's not trivial to find out exactly what information is going back and forth.

This issue has always been there, and is no more of a problem on an iPhone than other similar platforms.

That's muddy waters... Does downloading a demo ("free") app constitute a "business relationship"? As for telemarketing calls to cellphones, it's certainly despised, but I don't think it's illegal these days -- for starters, it's impossible to know the number you're dialing is a cellphone, or has been directed to a cellphone. The days when an NPANXX could tell you a location and service provider are long past. (any number can be assigned to anyone, anywhere.)

but. . . but. . . security is one of the claimed reasons for sandboxing applications on the iPhone. Apple is lying? Tell me it ain't so!

No, not lying, just complacent.

There should be an option to restrict this, and sandboxing does in fact give Apple the option to add it in the future - it does increase security by not allowing direct access to system files. All access to stuff like phone numbers and addresses is only via an API which Apple control, which they can modify at any time to pop up a dialog asking the user (see their restrictions on core location data).

You ask the user for their identifying information, if they don't willingly give it, you stop there. Period. Anything else is a great way to get permanently blacklisted. Seriously stupid mistake. (Never mind that in North America that solicitation calls on a cellphone are seriously frowned upon)

This behavior is explicitly unacceptable. The fact that it has been done is a failing of the app review process. It's also possible that the developers went to great lengths to hide this behavior (such as setting it up to only happen when a particular flag is flipped on on the server so that it wouldn't happen during review processes.) As a registered iPhone developer who actually reads his agreement documentation, I can assure you this particular issue is specifically addressed. The application in ques

Every mobile platform I've ever used gives applications read-only access to basic phone parameters. There is nothing new here. Knowing your phone number, knowing battery status, knowing if you're in coverage - all useful information. What the developers are doing with it in this case is highly questionable, but it's always there.

Actually manipulating the call progress from an application is a privileged operation, as it should be. I encountered this in a Brew application where I wanted to examine the call

The problem here is not with the technology, but with the business ethics of the company involved. It's not like discovering the phone numbers of consumers has been outright impossible before, it's merely become simple enough in this particular instance that an unscrupulous company thought it was worth the effort.

To be honest I am a quite new iPhone user and although I should have expected the same behaviour on iPhone apps we see on the computer side, I didn't. Now I have UDIDFaker installed as well as the update hosts file.

Reading some of the info that gets stolen, such as Storm8 stealing phone numbers combined with Apple not caring really scared me.
UDIDFaker and compiledadhosts are two packages that will ALWAYS be installed on my iPhone.

It's not about internet traffic, but road traffic data. I would guess the application sends your location to a server which in return sends traffic data back about the surroundings. I didn't find English site tho, so might be wrong.

Not that it's really invasive anyway if the user wants that kind of app.

I know, I had to read it a few times as well. The way over the top reaction wasn't to the immediate prior sentence. It was to two sentences before. When I finally realized that the submitter flew off the handle about receiving solicitous phone calls from the company that published a free app these people had downloaded, I too, was a little ticked off at the thought of it. Of course, it wasn't until I got over the smugness of the submitter wasting my time with the whole discussion about how so few people act

Because you can't install apps from elsewhere than the app store - unless you jailbreak your phone, but that comes with problems too and the fact you have to do it. Windows Mobile is a lot more open in this matter, since you can install your .cab file no matter where it came from, and you're not restricted to the app store.

Interface. To me that is asking a question akin to "I have a scrolling device and a button, why do I need all these other keys?". I can just scroll to character I want and select it! Plus I don't think you can use all of the corelocation features, or the coregraphic features, or the coreaudio features, with a web app.